Page MenuHomePhabricator

Track and list the services that Cloud Services that connect to internal network endpoints
Closed, ResolvedPublic

Description

Develop and maintain a manifest of what Cloud Services are actually consuming as far as internal network endpoints for future virtualization, tracking and consideration.

A jump start on this with a specific goal is T207536: Move various support services for Cloud VPS currently in prod into their own instances
Current resources include this list (which needs an update on labstores): https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_ideal_model#supporting_services
An example config from our network management system is https://github.com/wikimedia/operations-homer-public/blob/master/templates/cr/firewall.conf#L1437

Event Timeline

Bstorm triaged this task as Medium priority.Mar 31 2020, 5:39 PM
Bstorm created this task.

Right away, I see that there are services in homer that have been decommissioned.
I see:

  • labstore1001/2/3 T187456 (replaced by cloudstore1008/9, which live in the public network)
  • labsdb1004/5/6/7 T216749 T220144 (all now on VMs)

Besides that:

  • dbproxy's for the wikireplicas are changing, which might just need a labeling change in comments T231520
  • port restrictions for labstores may have changed as a result of https://gerrit.wikimedia.org/r/c/operations/puppet/+/571821, which makes the labstore1004/5 set more firmly nfsv4 than they were. We may be able to close some of those ports that are currently open.
JHedden added a subscriber: JHedden.

Check if we have any netflow data from the network devices that would allow us to query src and dest traffic

Note that we only have netflow at our borders, and we sample 1:1000 so it might not be the right tool for now.

There are several options though: